CMS Provider Sitecore Patches Exploited Critical Zero Day
In a report published on September 3, Mandiant, part of Google Cloud, said that the attack leveraged exposed ASP.NET machine keys in Sitecore deployment guides from 2017 and earlier to perform remote code execution (RCE).
Ryan Dewhurst, head of proactive threat intelligence at WatchTowr, commented: “The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones - a move we don’t recommend.”
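As an added example (not code from Mandiant, Sitecore or the Infosecurity Magazine report), a small Python audit that flags a web.config whose `<machineKey>` still carries copied sample values, a malformed key, or a weak MAC algorithm, and emits a freshly generated replacement; the sample-key set and the web.config fragment are constructed placeholders, not the real keys from Sitecore's old deployment guides.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for the key pairs an auditor would copy
# out of old deployment guides. They are NOT the real Sitecore sample keys.
PUBLISHED_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,  # 64-byte validation key placeholder
    "0123456789ABCDEF" * 4,  # 32-byte decryption key placeholder
}
# Accepted shapes for explicit keys: hex, 20-64 bytes for validation,
# 16/24/32 bytes (AES-128/192/256) for decryption.
KEY_RULES = {
    "validationKey": r"[0-9A-Fa-f]{40,128}",
    "decryptionKey": r"[0-9A-Fa-f]{32}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{64}",
}

def audit_machine_key(web_config_xml: str) -> list:
    """Return findings for the <machineKey> element of a web.config, or [] if
    the element is absent (keys are then auto-generated per machine)."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        for attr, pattern in KEY_RULES.items():
            value = mk.get(attr, "")
            if not value or value.startswith("AutoGenerate"):
                continue  # runtime-generated key, nothing static to leak
            if value.upper() in PUBLISHED_SAMPLE_KEYS:
                findings.append(f"{attr}: matches a publicly documented sample key")
            elif not re.fullmatch(pattern, value):
                findings.append(f"{attr}: unexpected length/format ({len(value)} chars)")
        if mk.get("validation", "").upper() in {"MD5", "SHA1"}:
            findings.append("validation: weak MAC algorithm, use HMACSHA256 or stronger")
    return findings

def generate_machine_key() -> str:
    """Emit a fresh, per-deployment <machineKey> element (64-byte HMACSHA256
    validation key, 32-byte AES decryption key) from a CSPRNG."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )

# Constructed web.config fragment that copied the placeholder keys verbatim.
SAMPLE_WEB_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{'0123456789ABCDEF' * 8}"
              decryptionKey="{'0123456789ABCDEF' * 4}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
```

Running `audit_machine_key(SAMPLE_WEB_CONFIG)` reports both copied keys and the SHA1 setting; `generate_machine_key()` produces an element that passes the same audit, and rotating to it invalidates any ViewState an attacker could have forged with the copied pair.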
The threat actor demonstrated sophisticated knowledge of the targeted product and its vulnerabilities, executing a methodical attack chain:
- Initial Access: Exploited CVE-2025-53690 on an internet-facing Sitecore instance, achieving RCE.
- Reconnaissance and data theft: Deployed WEEPSTEEL malware via a decrypted ViewState payload for internal reconnaissance; archived the web application’s root directory, likely targeting sensitive files, such as web.config; conducted host and network reconnaissance.
- Persistence: Placed additional tooling in a public directory, including EARTHWORM (open-source network tunneling), DWAGENT (open-source remote access trojan) and SHARPHOUND (open-source AD reconnaissance).
- Privilege escalation and lateral movement: Created local admin accounts and dumped SAM/SYSTEM hives to harvest cached credentials; used RDP for lateral movement after credential compromise; maintained persistence via DWAGENT while conducting Active Directory reconnaissance.
To read the complete article, see: Infosecurity Magazine.
This post is licensed under CC BY 4.0 by the author.